Copied from the NIST RMF website FISMA background

What is FISMA?

The Federal Information Security Management Act (FISMA) [FISMA 2002], part of the E-Government Act (Public Law 107-347), was passed in December 2002. FISMA 2002 requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other sources.

The Federal Information Security Modernization Act of 2014 amends FISMA 2002 by providing several modifications that modernize federal security practices to address evolving security concerns. These changes result in less overall reporting, strengthen the use of continuous monitoring in systems, increase the focus on agencies' compliance, and make reporting more focused on the issues caused by security incidents. FISMA 2014 also required the Office of Management and Budget (OMB) to amend/revise OMB Circular A-130 to eliminate inefficient and wasteful reporting and to reflect changes in law and advances in technology.

FISMA, along with the Paperwork Reduction Act of 1995 and the Information Technology Management Reform Act of 1996 (Clinger-Cohen Act), explicitly emphasizes a risk-based policy for cost-effective security. In support of and reinforcing FISMA, the Office of Management and Budget (OMB) through Circular A-130, “Managing Federal Information as a Strategic Resource,” requires executive agencies within the federal government to:

  • Plan for security
  • Ensure that appropriate officials are assigned security responsibility
  • Periodically review the security controls in their systems
  • Authorize system processing prior to operations and, periodically, thereafter

What does FISMA require?

Federal agencies need to provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of:

  • Information collected/maintained by or on behalf of an agency
  • Information systems used or operated by an agency, or by a contractor of an agency or other organization on behalf of an agency

Also, federal agencies need to “com[ply] with the information security standards” and guidelines, including the mandatory standards, developed by NIST.

To whom does FISMA apply?

Federal agencies, contractors, or other sources that provide information security for the information and information systems that support the operations and assets of the agency.

What is a Federal Information System?

As defined in FISMA 2002, "[t]he term ‘Federal information system’ means an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency."

NIST Risk Management Framework

Copied from the NIST RMF website FISMA background

The NIST Risk Management Framework (RMF), outlined in NIST Special Publication 800-37, provides a flexible, holistic, and repeatable 7-step process to manage security and privacy risk and links to a suite of NIST standards and guidelines to support implementation of risk management programs to meet the requirements of the Federal Information Security Modernization Act (FISMA).

The risk-based approach of the NIST RMF helps an organization:

  1. Prepare for risk management through essential activities critical to design and implementation of a risk management program.
  2. Categorize systems and information based on an impact analysis.
  3. Select a set of the NIST SP 800-53 controls to protect the system based on risk assessments.
  4. Implement the controls, and document how the controls are deployed.
  5. Assess the control implementation to determine if the controls are in place, operating as intended, and producing the desired results to manage risk.
  6. Authorize the system to operate by a senior-level official who understands the controls in place to manage risk and any residual risk.
  7. Continuously monitor control implementation and changes to the risks to the system.

We recommend reading NIST SP 800-37, Revision 2 in its entirety before embarking on your ATO journey, paying particular attention to information about ongoing authorization, automation, and aligning the RMF with the SDLC. Appendix F is important to understand as you move towards Ongoing Authorization. These excerpts are just to help set a baseline for the playbook.